Monday, December 17, 2007

Lessons learned - vundo and Beacon make out at badware reunions

This Saturday I spent most of the day working on removing variants of the Vundo Trojan from the machine of my most favorite and dear in-laws.

It's unclear how they got the little jerk on their machine, but Norton Real-Time Protection picked it up almost immediately, and started broadcasting the fact that it couldn't do anything about it. More than likely, someone clicked on a link in a spam email.

So, while this harangue has something to do with trojan removal, and 'ultimate' Windows boot CDs, it also has something to do with online privacy.

Here are some little vignettes I would like to impart:
  1. Vundo is malware that's part adware, part trojan, and while it's not all that serious to your machine (nothing's going to blue screen you), it is extremely hard to remove.
  2. There's so much 'information' on the internets about removing 'vundo' and its variants that I won't contribute to the noise. The entry on Wikipedia is a fair summary. Needless to say, Symantec and McAfee don't provide removal methods. It would seem that while these companies used to develop fixes for issues like these, there are more and more niche businesses and open source developers out there creating specialized tools, which makes an investment by a company like Symantec in a fix for one trojan look foolish and unnecessary.
  3. My method of removal consisted of making a Windows boot CD, which allows your copy of XP to load from CD, removing all the adware and malware I could find, and then manually removing the randomly named DLLs (c:/windows/system32...) that Vundo creates. Those little bastards would still be in use even in Safe Mode. Even using a process tool that could suspend certain processes, so that adware or malware removal programs (like Ad-Aware or SpyBot Search and Destroy) could scan the hard drive, didn't remove the thing.
  4. This all relates to protecting your privacy. EPIC has a bunch of safe tools that can be employed to aid in the quest to maintain your anonymity, but once something (trojans, worms, or other viral nasties) is on your machine you should consider yourself compromised and take steps to sever your connection with the internet, as these pieces of code can track your keystrokes, harvest the emails in your address book, harvest password information, or at least turn your machine into a zombie, which will then be used by some 15-year-old hacker in the Netherlands to run a distributed denial of service attack against eBay.
  5. Oh, and make your wireless network secure. I had to check email on the road one day and just drove around and refreshed the available networks until I found one that wasn't locked down. If you don't change the router's administrator login (for example, the password from the default 'password'), then someone who knows the manufacturer's default credentials can just hop on your network, access the router, log in, and get whatever they want from any machine connected to the network.
  6. While consumer regulation defeated the intrusions of Facebook's Beacon and prompted the launch of AskEraser, which allows you to anonymize your query activity through the site, the larger issues are these: Ask gets some of its results from Google, and Google doesn't anonymize that information; and everything that goes through your ISP (like AT&T or Comcast) is stored on their servers and personally identifies you.
  7. Will consumer regulation activity extend to government regulation? It seems we don't have a problem complaining to Facebook about our shopping information being made available to perfect strangers, but for some reason our government seems content to perpetuate the military-industrial complex when it should be focused on evolving from a country that requires a surge of troops to bump up the economy. Is the populace not vocal enough? Is all this talk about torture farming and warrantless wiretaps spooking the citizenry into silence?
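Item 3 above boils down to building a worklist of the randomly named DLLs in system32 before the offline (boot CD) cleanup. The script below is an added example, not code from the original post: it triages a directory listing by flagging recently modified .dll files whose names are short runs of lowercase letters and are absent from an allowlist, then uses vowel ratio and character entropy as secondary signals for how confident the flag is. The allowlist, the thresholds, and the sample filenames are constructed assumptions (a real run would compare against a full inventory of the installed Windows version), and the script only reports; it deletes nothing.

```python
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed, illustrative allowlist of well-known system32 names; not exhaustive.
KNOWN_GOOD = {"kernel32.dll", "user32.dll", "ntdll.dll", "msvcrt.dll", "shell32.dll"}

# Generated names in the post's description are short, all-lowercase letter strings.
RANDOM_NAME = re.compile(r"^[a-z]{5,10}\.dll$")


def shannon_entropy(text):
    """Bits of entropy per character of `text`; higher means less repetition."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text):
    """Fraction of letters that are vowels; generated names are often vowel-poor."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def triage(entries, now, recent_days=14):
    """Return [(name, confidence, reasons)] for entries worth a closer look.

    entries: iterable of (filename, modified_datetime). Nothing is deleted;
    the output is a worklist for the offline cleanup step.
    """
    flagged = []
    for name, modified in entries:
        lname = name.lower()
        if lname in KNOWN_GOOD or not RANDOM_NAME.match(lname):
            continue
        age = now - modified
        if age > timedelta(days=recent_days):
            continue  # an old file with a short name is most likely legitimate
        stem = lname[:-4]
        reasons = ["random-looking name", f"modified {age.days}d ago"]
        confidence = "review"
        if vowel_ratio(stem) < 0.25:
            reasons.append(f"vowel ratio {vowel_ratio(stem):.2f}")
            confidence = "high"
        if shannon_entropy(stem) > 2.5:
            reasons.append(f"entropy {shannon_entropy(stem):.2f} bits/char")
        flagged.append((name, confidence, reasons))
    return flagged


def scan_directory(path, now=None, recent_days=14):
    """Build (name, mtime) entries from a real directory and triage them."""
    now = now or datetime.now(timezone.utc)
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file():
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)
                entries.append((entry.name, mtime))
    return triage(entries, now, recent_days)


def demo_scan():
    """Create a throwaway directory with one constructed suspicious name and scan it."""
    folder = tempfile.mkdtemp()
    for fname in ("qwvbxz.dll", "user32.dll"):
        open(os.path.join(folder, fname), "w").close()
    return [name for name, _, _ in scan_directory(folder)]


# Constructed sample: names and ages of the kind the post describes.
SAMPLE_NOW = datetime(2007, 12, 15, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("ssqrqpnk.dll", SAMPLE_NOW - timedelta(days=1)),    # fresh, vowel-free
    ("kernel32.dll", SAMPLE_NOW - timedelta(days=900)),  # allowlisted system file
    ("plmxrt.dll", SAMPLE_NOW - timedelta(days=400)),    # odd name, but old: skipped
    ("helper.dll", SAMPLE_NOW - timedelta(days=2)),      # recent, readable name
]

if __name__ == "__main__":
    for name, confidence, reasons in triage(SAMPLE_ENTRIES, SAMPLE_NOW):
        print(f"{name}: {confidence} ({'; '.join(reasons)})")
```

The recency filter does most of the work here: a short lowercase name alone would flag plenty of legitimate files, so the script only raises names that also appeared or changed in the window when the infection showed up, and treats a missing vowel pattern as the signal that separates a "high" hit from one merely worth a look.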
